With Exchange 2013, Outlook Anywhere (aka RPC over HTTP/S) is the default method for Outlook client connections – that is, no more direct RPC connections to the servers for Outlook clients. Exchange 2013 essentially requires you to use Autodiscover and Outlook Anywhere to get your Outlook client connected. This is the main reason for writing this post. This information will come in useful if you are getting ready to deploy Exchange 2013 or have already started. I’ll try to keep it simple and write this down as a list of things to consider, so it should be easy for everyone to follow.

If you followed my post about how to prevent Outlook Anywhere from being configured and removed the EXPR Outlook provider, start by restoring it. Run the following PowerShell command to restore it:

New-OutlookProvider -Name:EXPR

If you’re using any additional methods to configure Outlook clients or Outlook Anywhere, such as static XML files, registry settings or Group Policy settings, make sure to revise or even remove them. See also http://support.microsoft.com/kb/2212902

Plan the CertPrincipalName value you will use, that is, the certificate Subject Name that your clients will use to populate the msstd:server.domain.com value – both internally and externally (reminding you to see the note above). My personal best practice is to use the same Subject Name on the certificate on your external TMG/UAG/Juniper/F5 reverse proxy and on your internal server or servers.
Once you know this value you can configure your Outlook Provider accordingly (you can refer to this post for more information on the subject).
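
One way to check the planned value against what the servers actually present, as an added example (not part of the original post). It assumes the Exchange Management Shell on an Exchange 2013 server, and mail.contoso.com is a placeholder host name:

```powershell
# Added example - run in the Exchange Management Shell.
# mail.contoso.com is a placeholder, not a value from the post.

# 1. Which msstd value does Autodiscover currently hand out per provider?
$providers = Get-OutlookProvider | Select-Object Name, CertPrincipalName
$providers | Format-Table -AutoSize

# 2. Which subject does each Client Access server present on its IIS certificate?
$report = foreach ($cas in Get-ClientAccessServer) {
    Get-ExchangeCertificate -Server $cas.Name |
        Where-Object { "$($_.Services)" -match 'IIS' } |
        ForEach-Object {
            # Subject looks like "CN=mail.contoso.com, O=..."; keep the CN only.
            $cn = if ($_.Subject -match 'CN=([^,]+)') { $Matches[1].Trim() } else { $null }
            [pscustomobject]@{
                Server     = $cas.Name
                SubjectCN  = $cn
                SelfSigned = $_.IsSelfSigned
                NotAfter   = $_.NotAfter
                Thumbprint = $_.Thumbprint
            }
        }
}
$report | Format-Table -AutoSize

# 3. Flag every provider/certificate pair whose names disagree.
foreach ($p in $providers | Where-Object { $_.CertPrincipalName }) {
    $wanted = $p.CertPrincipalName -replace '^msstd:', ''
    $report | Where-Object { $_.SubjectCN -ne $wanted } | ForEach-Object {
        Write-Warning ("{0}: provider {1} expects '{2}' but the IIS certificate subject is '{3}'" -f `
            $_.Server, $p.Name, $wanted, $_.SubjectCN)
    }
}

# 4. Once the planned Subject Name is on every certificate, publish it:
# Set-OutlookProvider -Identity EXPR -CertPrincipalName 'msstd:mail.contoso.com'
```

A self-signed certificate that still has IIS enabled shows up in step 2 with SelfSigned set to True and will normally trigger the warning in step 3.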

If you installed a wildcard certificate on your Exchange 2013 server – you must perform the following:

Don’t freak out when you see Exchange 2013’s “new” server name – its value is actually the Mailbox GUID value, and will be unique for each user. This means that you must use the Autodiscover wizard to configure outlooks from now on: Email, password and click Next.
If you have full mailbox access to a different mailbox – that’s great – just type its email address and enter whatever you want for the password (this will work only inside the LAN…).

109 thoughts on “Exchange 2013 Outlook Anywhere Considerations”

hey,
In Exchange 2010 we create a CAS Array, and in that array we add the CAS servers of the site so that users connect to that array for RPC/Outlook, and then we configure our mailbox databases to use that array for high availability.
In Exchange 2013 what do we have to do, because after running the command

Get-MailboxDatabase | select name,rpcclientaccessserver | ft -auto
I only see one CAS server, which means if that CAS server goes down my clients will not connect to Exchange any more. As you know there is no more CAS array and Exchange uses Outlook Anywhere for communication with clients.
Do we have another method to make this work?
Regards

Hi Ali,
The RpcClientAccessServer property doesn’t affect client connectivity with Exchange 2013.
With Exchange 2013 you create a DNS record which will point to your CAS (Front End) Server/s, then using Autodiscover – clients use RPC over HTTP to access the server. The mail profile is then configured to point to their mailbox GUID instead of the “old fashion” RPC endpoint.

That’s basically it. Then no “cas array” in Exchange 2013.. well not in the form of an RPC endpoint anyhow.

I’m upgrading from Exch 2007 to Exch 2013 – all the clients default to Anonymous Authentication and this wreaks havoc – ran steps 4 and 6 – and then it updates to Negotiate Authentication automatically, but for some unknown reason, unless I go into Control Panel, Mail, Email Accounts, Security (see that Negotiate Authentication is selected and Encrypt Data is checked) then click OK, and then click NEXT – the clients will still ask for a password. This is not the ideal solution as it requires me to touch all the clients, but on the upside, it works when I do it that way.
Thanks for the post – a definite improvement over the clients not authenticating properly.

After installing Exchange 2013 and using a wildcard certificate, Outlook 2013 is working fine. When we connected from Outlook 2007 and 2010, it was always asking for a password. Even if we typed the right password, it was not accepted. When we configure Outlook 2007 and 2010 manually without msstd, it works fine.

Nice article. But when you say “you must use the Autodiscover wizard to configure outlooks from now on”, does that mean you can’t use a PRF file anymore? The reason I ask is I’m trying to get a PRF file from the Office 2013 DVD to work, but no matter what I type in I get errors when Outlook starts. If I don’t import the PRF file then Outlook auto configures itself perfectly. Thanks!

I guess you are referring to what exactly to type in the “servername”? I’d advise using the “Automatically configure profile based on Active Directory Primary SMTP address” setting; see the link and look for zeroconfigexchange, that’s what you want to do.
ilantz

Well, keep in mind that DNS isn’t really load balancing, with current versions DNS round robin will always return to the client the IP by subnet mask ordering which will probably render to the “lowest” IP value…
For external clients you can use any reverse proxy that supports a FARM configuration. The new Server 2012 R2 Web Application Proxy will do the job great – or any other solution (TMG/F5/Juniper etc.).
ilantz

I was having problems with XP/Outlook 2010 clients connecting to Exchange 2013. I have spent all day trying to figure this out. Step 6B above fixed the problem. Your blog is the only place I have seen this step published. Thank you!

Hi, thanks for the helpful information. I am having a problem with my Exchange 2013 environment. When users using Outlook 2010 are connected they will get disconnected if they close and reopen Outlook. I also notice that the “Connect to Microsoft Exchange using HTTP” box is unchecked. Any idea why?

Hi Michael,
All Exchange 2013 users’ profiles must be configured to use Outlook Anywhere. Did you try to create a new profile for those Outlook 2010 users? Also double check that you are using a supported Outlook version with Exchange 2013; the outlook.exe should be at minimum 14.0.6126.5000 – see
Let me know what came up…
ilantz

Ilantz, thanks for replying. We have created a new profile many times and that didn’t work. We are using outlook.exe 14.7015.1000. When the users are connected, Outlook Anywhere is showing checked (the “Connect to Microsoft Exchange using HTTP” box in the Outlook Connection tab), but this is unchecked and grayed out when the users are disconnected. I noticed as well that I am always connected with OWA and ActiveSync when this happens. One of my staff is using a virtual Windows 7 machine and he is always connected, so it seems like it only happens with the physical machines. Your help is greatly appreciated.

Around the Authentication do you HAVE to set the ExternalClientAuthenticationMethod to Basic? Or would the following still be ok:
– ExternalClientAuthenticationMethod = Negotiate
– InternalClientAuthenticationMethod = Ntlm
– IISAuthenticationMethods = {Basic, Ntlm, Negotiate}

I have Exchange 2013 installed, and with Office 2010 Outlook when I tried to configure my account it shows an error: “Your e-mail server rejected your user name. Verify your user name for this account in Account Settings. The server responded: -ERR Command is not valid in this state”. I tried everything you told but no result, plz share some solution.

Not sure how to do this, still facing the same problem and error. I have been stuck here for the last few weeks and no solution works … I’m new to this, plz send steps and help me to resolve this error: “Your e-mail server rejected your user name. Verify your user name for this account in Account Settings. The server responded: -ERR Command is not valid in this state”

I’ve read your article carefully, and so many articles as well, but I am still confused by something. You mentioned this: “With exchange 2013 make sure you use only Autodiscover to configure a profile, not entering name and server name.” Can you confirm that this is correct?

The reason I ask this is that I have a test Ex2013 deployment where both CAS and MBX roles have been deployed to a single server. I have been able to configure an Outlook profile for Outlook Anywhere manually for this deployment.

On the other hand, I have another Ex2013 deployment where CAS and MBX are located on separate dedicated servers. Autodiscover works just fine, but I am not able to use Outlook Anywhere profiles created manually for the same mailbox. OA does work for mailboxes located on Exchange 2010 MBX server, even when I use Ex2013 CAS as a proxy server.

The strange thing is that during profile creation server name and mailbox name do get resolved properly, but once I try to start Outlook with that profile, I get an error Microsoft Exchange Server is unavailable…this is driving me nuts 🙁 do you have any clues what could be the problem here? I use the same internal & external URL and a simple public SSL cert with this name in it. For Autodiscover I use HTTP redirection method, and this is working perfectly OK.

On a side note, can you also confirm whether it is mandatory to populate CertPrincipalName values in Set-OutlookProvider? Mine have been empty ever since in an Exchange 2010 deployment and I never noticed a single problem…

Update: On one of your other posts, I found your tip to use ExchangeGUID instead of “normal” Exchange server name during manual setup. I tried it and it worked, thank you 🙂 however, this is not very convenient for end-users…is there a way to use the “normal” server name?

Hi Srdjan, as noted, with Exchange 2013 there isn’t really a ServerName. Your profile is configured to use your mailbox GUID as the server name… As you said the manual approach is not straight forward, and autodiscover is the way to go 🙂
Glad you’ve worked it out!
Ilantz

Hi Ilan, I was hoping your excellent articles would help me with this pain in the *ss problems with Exchange 2010 to Exchange 2013 migration. We have a user whose mailbox is already on Exchange 2013 and he is using Outlook 2013 as client. Despite following some of your articles this user still has problems accessing his mailbox.

He gets a logon popup and although he fills it in correctly, the popup won’t go away; it returns immediately after pressing OK, and he is unable to use Outlook. He also gets a certificate error (name does not match the name on the certificate). We are using a wildcard certificate.

– All URLs of the Exchange services/vdirs point to webmail.company.com
– I installed the *.company.com certificate on both 2013 CAS servers
– OutlookProvider EXCH and EXPR are set to msstd:*.company.com
– Outlook Anywhere authentication methods are set according to your article(s)

The only way this specific user can access his outlook is de-selecting “HTTP on fast networks”. He then only needs to put in his credentials once and he is able to use Outlook. But after a while settings will be pushed from the server again and the problem starts all over again. It is driving me crazy!

Hi Ilan, thanks for your reply. An important thing to note and maybe nice to add to your article(s) (or did I miss it while reading?) is that if you change one or more settings with Outlook Anywhere, it can take several hours before every client has picked it up.

After being done with it (meaning you could almost take me to a mental hospital), I just left the Outlook Anywhere settings configured as recommended by you, and called it a day. Now that I have returned to the office all issues seem to be gone.
– certificate errors -> gone
– one time credentials popup -> gone
– infinite credentials popup -> gone

There is one additional step I made on the Exchange 2013 CAS servers; I removed the self-signed certificate. The IIS service was enabled on both the 3rd party certificate and the self-signed certificate. Assuming (assumptions, I know…) that could be causing a problem, and being unable to remove the IIS service from the self-signed certificate, I decided to completely remove it (after researching how to correctly remove it).

To cut short:
– Outlook Anywhere settings take a while, several hours, to fully propagate
– Your articles were/are very helpful!
– Everything seems to be working fine now!

Hi, well, because Exchange 2013 is all about Outlook Anywhere, you should check your options with the publishing solution. That is, control access on the edge, using whatever you have: F5/Juniper/TMG etc.

Hello there… I’m having issues with Autodiscover using Outlook 2010 with Exchange 2010/2013 coexistence… Whether the user has a mailbox on 2010 or 2013, Outlook will not automatically create the user’s profile… It keeps on trying to connect to its mailbox’s respective server and never configures… What am I missing? The environment is as follows:
1 Exchange 2010 HUB/CAS/MBX
2 Exchange 2013 CAS/MBX
OutlookAnywhere is enabled on all servers w/ NTLM configured

I did restart IIS and no go… outlook still tries to connect to the servers and never configures…. this network is strictly internal only, any user who connects to exchange will be physically connected to the LAN

Just wanted to say this was a life saver. I was banging my head against the wall searching for a solution. Mixed 2007 and 2013 environment. Tested everything (moves, autodiscover, etc.) and thought this is easy. All testing was done with Windows 7.

Problem is we have 2003 terminal servers and kept getting the proxy certificate error with code 0. I hoped when I read another comment about it solving the issue for XP it would apply to me.

We have the following problem. We have a mixed multi-domain, one-forest AD environment. We also still have a mixed Exchange 2007 / 2013 environment. We also have different CAS servers for 2007 and 2013 in Europe and one 2007 CAS server in China, because of the bad connection to Europe. For the migration to 2013 in Europe we installed a wildcard certificate *.xyz.com and used Set-OutlookProvider EXPR -CertPrincipalName msstd:*.xyz.com as described in your article. Everything in Europe works fine, inside and outside, also between Exchange 2007 and 2013 (both the 2013 and 2007 CAS servers use the same wildcard certificate). But since the change of the Set-OutlookProvider EXPR we are facing problems with our CAS server in China, because this server has a different non-wildcard certificate and a different domain name (cas-server.xyz-china.com instead of xyz.com). Now we have the problem that on this Chinese CAS server Outlook Anywhere does not work anymore and always prompts for the username. As I see it, it is because of the EXPR change. Is it possible to set the Outlook Provider EXPR per CAS server? (They also have their own Autodiscover on this front-end server.) Because I see that the Outlook Provider can only be stored forest-wide.
If not, the other solution would be to register the Chinese CAS server in our xyz.com domain and use the same wildcard certificate on this system, right?
Any help would be appreciated…

Yeah, you got it right. The EXPR is global. Once you are using a wildcard somewhere you’re in a pickle 🙂 so either of the two: have China on the same domain, or move back to a Multi SAN / single name cert.

But what about the autodiscover process then, because they still use their email addresses of @xyz-china.com… So they will connect to autodiscover.xyz-china.com. But this is then also the wrong certificate when I register this server to xyz.com… I think we have to go to a Multi SAN certificate…

I have the exact issue as above, where I have followed the above steps but it still failed. My environment is Exchange 2010 SP3/Exchange 2013 CU8. I can’t connect using either Outlook 2010 or 2013 to Exchange 2013, while users on Exchange 2010 have no issue. New or migrated users on Exchange 2013 have this issue. We use a SAN public cert and have already set the OutlookProvider to mail.domain.com.
Our Exchange 2010 is using a CAS array. The weird part is I’m able to create an Outlook profile but it resolves to the CAS array name of Exchange 2010. Please help me.

I’m able to resolve my problem using that article. :-) However, do I need to set up EXCH and EXPR using Set-OutlookProvider? What is this setting for? I thought the user is using the Autodiscover service to look up the mailbox. I may not understand that setting at all.

Hi, I have the same issue and my Exchange 2010 CAS Array is not ambiguous, i.e. it has a unique namespace. Still, while configuring, the Exchange 2013 mailbox resolves to the CAS Array for Exchange 2010 in Outlook 2013 SP1 with all the updates. The scenario is the same as what Ismail mentioned. Please help.

Great information. I have no problems internally, but if a user goes outside the network and is connected through DirectAccess, Outlook continues to prompt for a password. Does that have something to do with the authentication? It is set to:

I am in the process of migrating from Exchange 2010 to 2013, 3:3 (CAS:MBX). Clients are a mix of Outlook 2007, 2010 and 2013. Single domain, single forest.

Exchange 2013 is the internet-facing one now. In co-existence mode we started migrating the mailboxes. Actually we are using a SAN cert on Exchange 2010 and a new wildcard on Exchange 2013.

After the mailbox move, mailboxes which are sitting on Exchange 2013 are not connecting to OA, except for Outlook 2013 clients, while mailboxes not yet migrated are working fine with all clients. EXCH & EXPR are configured with *.wildcard. Please advise. Is it breaking OA?

Will configuring the new wildcard certificate on Exchange 2010 work? If so, are there any impacts?

Hi pete, sorry for the delay. Exchange 2013 should proxy your requests for all clients. Including your 2010 ones with Exchange 2010 as the back end.
Make sure you did setup the required authentication settings on the 2010 side, mainly enabling Windows Authentication on the /rpc vdir.

Hi, I have migrated a mailbox from 2010 to 2013; after migration my Outlook 2013 asks me for my username/pwd.
And it is the same for all my new users on the 2013 server.
I did all your steps and my problem is still present.
Do you have an idea?
Thanks for your help

I was going through your article and found it very informative and impressive. In my situation my company has Exchange 2010 and 2013 in mixed mode, with different URLs and placed in different geographies, in the same Exchange organization.

The region having E2k10 is planned to be upgraded to Exchange 2013. Now during investigation I found that there are multiple DNS names configured for this region along with different OWA URLs and Autodiscover from the E2k13 site.

Below are the queries.

1. How to tackle multiple DNS names like autodiscover.de.abc.com, autodiscover.au.abc.com… like 13 SMTP namespaces.
2. Currently I can see the EXPR, WEB & EXCH details are blank but the TTL value is 1.
3. Are EXPR settings applied through Group Policy?

Amit, a rule of thumb would be to minimize URLs, so I vote for changing all 2010 URLs to the one you will set the 2013 to.
So – install and set up 2013, then test, then change all to point to 2013. It will proxy everything to 2010 so you should be okay.

As to autodiscover, I would recommend the redirection approach either with an HTTP redirection or the SRV. I like http much better.

Thx Ilan… yes, eliminating Office 2007 will resolve all the issues together; eventually that is the plan, but it will be very difficult to do so as it will take time.
The latest public update for Office 2007 was installed, but with no luck.